Safe Mode proves to be a valuable tool for hackers.Research published by CyberArk, a US cyber-security vendor, reveals various attack scenarios that leverage Windows Safe Mode to carry out malicious attacks undetected, harvest PC credentials from nearby workstations, or to disable security software.
The described attack is not a security vulnerability, but an exploitation scenario that can be carried out after a malicious actor has managed to compromise a PC and gain administrator privileges.
This hypothetical scenario is more than achievable because Windows computers get compromised with all sorts of malware on a daily basis, and various exploits are freely available to escalate privileges to admin level.
Safe Mode can help attackers cripple security software
The reason the attack works is because Windows allows applications to prompt the user to restart the PC, and secretly force the restart in Safe Mode.
Safe Mode is important to an attacker because it prevents all third-party software from starting, including antivirus systems.
When the computer reboots in Safe Mode, an attacker could alter registry keys for applications such as antivirus and anti-malware toolkits, which are hands off in Normal Mode and would trigger a security alert.
An attacker with a foothold on an infected system could leverage this technique to disable antivirus software for good and make sure his presence remains undetected until he finishes whatever malicious tasks he wants to carry out.
Users should avoid out-of-the-blue Safe Mode reboot prompts
Of course, the attack still relies on tricking users to allow the computer to reboot, and not being alarmed that they ended up in Safe Mode.
Executing most of the malicious commands while in Safe Mode takes little time, and the computer could then reboot again to Normal Mode, which would look less conspicuous since some Windows installation procedures are known to reboot PCs several times over.
Besides disabling security software installed on the PC, this attack scenario can be used to harvest login credentials from computers on the same network by utilizing the Pass-the-Hash attack.
Safe Mode can be leveraged to collect login credentials
Special tools are needed for this attack. Normally, an attacker would use registry keys to load these tools in Normal Mode. Since these aren’t allowed in Safe Mode, the attacker would need to disguise them inside malicious services and COM objects.
With all the tools available and loaded, the attacker can then collect NTLM password hashes for nearby PCs, for which tools exist to reverse them back to their cleartext versions.
This data can then be passed to the attacker, and used to escalate access to nearby systems when the PC returns to Normal Mode.
Additionally, this same attack can be used to steal credentials for the current PC as well. A typical attack relies on rebooting the PC in Safe Mode, showing a login prompt, logging the credentials, and then rebooting the PC in Normal Mode.
Because this is not a security vulnerability and also requires attackers to have already compromised systems, Microsoft, who CyberArk informed of this attack scenario, said it can’t do anything about it. And theoretically, it can’t.
Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us she held a cyber security researcher positions within a variety of cyber security start-ups. She also experience in different industry domains like finance, healthcare and consumer products.